mirror/FreshRSS
0
0
Fork 0
mirror of https://github.com/FreshRSS/FreshRSS.git synced 2026-04-04 06:35:40 -04:00
Code Issues Packages Projects Releases Wiki Activity

Missing checkUsername and const patten

Browse Source 
https://github.com/FreshRSS/FreshRSS/pull/1423

https://github.com/YunoHost-Apps/freshrss_ynh/issues/27#issuecomment-279792363
This commit is contained in:
Alexandre Alapetite
2017-02-25 12:39:08 +01:00
parent 2e871a0adf
commit 271a1fdc89
11 changed files with 17 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
app/Controllers/javascriptController.php
View File

@@ -26,7 +26,7 @@ class FreshRSS_javascript_Controller extends Minz_ActionController {
header('Pragma: no-cache');
$user = isset($_GET['user']) ? $_GET['user'] : '';
if (ctype_alnum($user)) {
if (FreshRSS_user_Controller::checkUsername($user)) {
try {
$salt = FreshRSS_Context::$system_conf->salt;
$conf = get_user_configuration($user);

9
app/Controllers/userController.php
View File

@@ -34,9 +34,14 @@ class FreshRSS_user_Controller extends Minz_ActionController {
return $passwordHash == '' ? '' : $passwordHash;
}
/**
* The username is also used as folder name, and part of SQL table name.
* '_' is a reserved internal username.
*/
const USERNAME_PATTERN = '[0-9a-zA-Z]|[0-9a-zA-Z_]{2,38}';
public static function checkUsername($username) {
$match = '/^[0-9a-zA-Z_]{1,38}$/';
return preg_match($match, $username) === 1;
return preg_match('/^' . self::USERNAME_PATTERN . '$/', $username) === 1;
}
/**

2
app/Models/Feed.php
View File

@@ -442,7 +442,7 @@ class FreshRSS_Feed extends Minz_Model {
file_put_contents(USERS_PATH . '/_/log_pshb.txt', date('c') . "\t" . $text . "\n", FILE_APPEND);
}
$currentUser = Minz_Session::param('currentUser');
if (ctype_alnum($currentUser) && !file_exists($path . '/' . $currentUser . '.txt')) {
if (FreshRSS_user_Controller::checkUsername($currentUser) && !file_exists($path . '/' . $currentUser . '.txt')) {
touch($path . '/' . $currentUser . '.txt');
}
}

2
app/Models/UserDAO.php
View File

@@ -85,7 +85,7 @@ class FreshRSS_UserDAO extends Minz_ModelPdo {
}
public static function touch($username = '') {
if (($username == '') || (!ctype_alnum($username))) {
if (!FreshRSS_user_Controller::checkUsername($username)) {
$username = Minz_Session::param('currentUser', '_');
}
return touch(join_path(DATA_PATH , 'users', $username, 'config.php'));

2
app/install.php
View File

@@ -553,7 +553,7 @@ function printStep2() {
<div class="form-group">
<label class="group-name" for="default_user"><?php echo _t('install.default_user'); ?></label>
<div class="group-controls">
<input type="text" id="default_user" name="default_user" required="required" size="16" maxlength="16" pattern="[0-9a-zA-Z_]{1,16}" value="<?php echo isset($_SESSION['default_user']) ? $_SESSION['default_user'] : ''; ?>" placeholder="<?php echo httpAuthUser() == '' ? 'alice' : httpAuthUser(); ?>" tabindex="3" />
<input type="text" id="default_user" name="default_user" required="required" size="16" maxlength="16" pattern="<?php echo FreshRSS_user_Controller::USERNAME_PATTERN; ?>" value="<?php echo isset($_SESSION['default_user']) ? $_SESSION['default_user'] : ''; ?>" placeholder="<?php echo httpAuthUser() == '' ? 'alice' : httpAuthUser(); ?>" tabindex="3" />
</div>
</div>

2
app/views/auth/formLogin.phtml
View File

@@ -9,7 +9,7 @@
<input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" />
<div>
<label for="username"><?php echo _t('gen.auth.username'); ?></label>
<input type="text" id="username" name="username" size="16" required="required" maxlength="16" pattern="[0-9a-zA-Z_]{1,16}" autofocus="autofocus" />
<input type="text" id="username" name="username" size="16" required="required" maxlength="16" pattern="<?php echo FreshRSS_user_Controller::USERNAME_PATTERN; ?>" autofocus="autofocus" />
</div>
<div>
<label for="passwordPlain"><?php echo _t('gen.auth.password'); ?></label>

2
app/views/auth/register.phtml
View File

@@ -5,7 +5,7 @@
<input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" />
<div>
<label class="group-name" for="new_user_name"><?php echo _t('gen.auth.username'), '<br />', _i('help'), ' ', _t('gen.auth.username.format'); ?></label>
<input id="new_user_name" name="new_user_name" type="text" size="16" required="required" maxlength="16" autocomplete="off" pattern="[0-9a-zA-Z_]{1,16}" />
<input id="new_user_name" name="new_user_name" type="text" size="16" required="required" maxlength="16" autocomplete="off" pattern="<?php echo FreshRSS_user_Controller::USERNAME_PATTERN; ?>" />
</div>
<div>

2
app/views/user/manage.phtml
View File

@@ -22,7 +22,7 @@
<div class="form-group">
<label class="group-name" for="new_user_name"><?php echo _t('admin.user.username'); ?></label>
<div class="group-controls">
<input id="new_user_name" name="new_user_name" type="text" size="16" required="required" maxlength="16" autocomplete="off" pattern="[0-9a-zA-Z_]{1,16}" placeholder="demo" />
<input id="new_user_name" name="new_user_name" type="text" size="16" required="required" maxlength="16" autocomplete="off" pattern="<?php echo FreshRSS_user_Controller::USERNAME_PATTERN; ?>" placeholder="demo" />
</div>
</div>

2
cli/reconfigure.php
View File

@@ -45,7 +45,7 @@ foreach ($dBparams as $dBparam) {
}
$config->db = $db;
if (!ctype_alnum($config->default_user)) {
if (!FreshRSS_user_Controller::checkUsername($config->default_user)) {
fail('FreshRSS invalid default username (must be ASCII alphanumeric): ' . $config->default_user);
}

2
lib/lib_rss.php
View File

@@ -285,7 +285,7 @@ function uSecString() {
}
function invalidateHttpCache($username = '') {
if (($username == '') || (!ctype_alnum($username))) {
if (!FreshRSS_user_Controller::checkUsername($username)) {
Minz_Session::_param('touch', uTimeString());
$username = Minz_Session::param('currentUser', '_');
}

2
p/api/greader.php
View File

@@ -152,7 +152,7 @@ function authorizationToUser() {
$headerAuthX = explode('/', $headerAuth, 2);
if (count($headerAuthX) === 2) {
$user = $headerAuthX[0];
if (ctype_alnum($user)) {
if (FreshRSS_user_Controller::checkUsername($user)) {
FreshRSS_Context::$user_conf = get_user_configuration($user);
if (FreshRSS_Context::$user_conf == null) {
Minz_Log::warning('Invalid API user ' . $user . ': configuration cannot be found.');